Allocating additional bandwidth to resources in a datacenter through deployment of dedicated gateways

ABSTRACT

Some embodiments provide a method for deploying edge forwarding elements in a public or private software defined datacenter (SDDC). For an entity, the method deploys a default first edge forwarding element to process data message flows between machines of the entity in a first network of the SDDC and machines external to the first network of the SDDC. The method subsequently receives a request to allocate more bandwidth to a first set of the data message flows entering or exiting the first network of the SDDC. In response, the method deploys a second edge forwarding element to process the first set of data message flows of the entity in order to allocate more bandwidth to the first set of the data message flows, while continuing to process a second set of data message flows of the entity through the default first edge node. The method in some embodiments receives the request for more bandwidth by first receiving a request to create a traffic group and then receiving a list of network addresses that are associated with the traffic group. In some embodiments, the method receives the list of network addresses associated with the traffic group by receiving a prefix of network addresses and receiving a request to associate the prefix of network addresses with the traffic group. Based on this request, the method then creates an association between the traffic group and the received prefix of network addresses.

BACKGROUND

Software defined datacenters (SDDCs) are typically protected from external networks by edge routers that perform middlebox service operations, such as firewall, network address translation (NAT), etc. All the external traffic is steered through the edge gateway. The external network bandwidth in an SDDC would be determined by the minimum of the edge gateway uplink bandwidth and the host adapter network bandwidth. There are applications with flows that require a large bandwidth and that consume a considerable amount of edge network capacity. These flows are often stateful, which requires the traffic to be symmetrically processed at the same edge router. There is no solution that addresses these needs today. Because of this, customers are often asked to split their applications across multiple SDDCs so that they can get additional external network bandwidth. Each SDDC comes with its own management plane and this leads to management overheads. There is a need to be able to assign dedicated bandwidth resources to the large flows within the same SDDC.

SUMMARY

Some embodiments of the invention provide a method for deploying edge forwarding elements in a public or private software defined datacenter (SDDC). For an entity (e.g., tenant, business, department, etc.), the method deploys a default first edge forwarding element to process data message flows between machines of the entity in a first network of the SDDC and machines external to the first network of the SDDC (e.g., machines outside of the SDDC). The method subsequently receives a request to allocate more bandwidth to a first set of the data message flows entering or exiting the first network of the SDDC.

In response, the method deploys a second edge forwarding element to process the first set of data message flows of the entity in order to allocate more bandwidth to the first set of the data message flows, while continuing to process a second set of data message flows of the entity through the default first edge node. The method of some embodiments provides a novel way of making bandwidth available as any other user-selectable resource (like compute machines, service machines, network elements, etc.) in the SDDC.

The method in some embodiments receives the request for more bandwidth by first receiving a request to create a traffic group and then receiving a list of network addresses that are associated with the traffic group. The list of network addresses identifies the subset of the data message flows to be processed by the second edge node. The network addresses in some embodiments are network addresses associated with interfaces for connecting the machines in the first network to forwarding elements of the first network. In some embodiments, the method receives the list of network addresses associated with the traffic group by receiving a prefix of network addresses and then receiving a request to associate the prefix of network addresses with the traffic group. Based on this request, the method then creates an association between the traffic group and the received prefix of network addresses.

In some embodiments, the method deploys the second edge forwarding element by configuring the second edge forwarding element to forward data messages of the first set to forwarding elements in the external network, and configuring a set of forwarding elements in the first network to forward the first set of data message flows from a set of machines of the first network to the second edge forwarding element. The edge forwarding elements in some embodiments are edge routers. The method in some of these embodiments configures the second edge forwarding element by configuring the second edge forwarding element to advertise to forwarding elements in the external network routes to the set of machines.

The configured set of forwarding elements in the first network in some embodiments includes intervening routers. In some of these embodiments, the method configures the set of intervening routers by providing next-hop forwarding rules to the set of intervening routers. Alternatively, or conjunctively, the configured set of forwarding elements in some embodiments includes a set of intervening switches that implement a logical switch. In these embodiments, the method configures the set of intervening switches by providing forwarding rules to the set of intervening switches to direct the switches to forward the first set of data message flows to the second edge forwarding element through a set of tunnels that connect the set of intervening switches to the second edge forwarding element.

In some embodiments, the SDDC is a public cloud datacenter with a second network. In these embodiments, the first network is a private network that is defined in the second network to implement a virtual private cloud (VPC) for the entity in the public cloud datacenter. The first network is a segregated private physical network in some embodiments, while it is a logical overlay network in other embodiments.

The second edge forwarding element in some embodiments is a gateway in the public cloud datacenter. In some embodiments, the method deploys the second edge forwarding element by deploying the gateway and then configuring a set of forwarding elements in the second network of the public cloud datacenter to forward the first set of data message flows to the deployed gateway.

In some embodiments, the method deploys the first and second edge forwarding elements by deploying the first and second edge forwarding elements as separate first and second devices in the SDDC. The first and second devices are different edge forwarding appliances in some embodiments. In other embodiments, the first and second edge forwarding devices are two different machines executing on two different host computers.

After receiving the request to allocate more bandwidth to the first set of data message flows, the method of some embodiments receives a request to allocate more bandwidth to a third set of the data message flows of the entity that enter or exit the first network of the SDDC. The method deploys for the entity a third edge forwarding element to process the third set of data message flows in order to allocate more bandwidth to the third set of the data message flows, while continuing to process the second set of data message flows through the default first edge node and to process the first set of data message flows through the second edge node.

Like the request for allocating more bandwidth for the first set of data message flows, the method in some embodiments receives the request for more bandwidth for the third set of data message flows by first receiving a request to create another traffic group, receiving another prefix of network addresses that identify the third set of data message flows, and then receiving a request to associate the newly received traffic group with the newly received address prefix. In some embodiments, the address prefixes for the first and third data message flows can overlap. In such cases, the method resolves the overlap by assigning the overlapping addresses to the traffic group that more specifically identifies the addresses. For instance, if the first list of addresses for the first data message flow set is specified in terms of a range of IP addresses (192.168.200.0/24) while the second list of addresses for the third data message flow set specifies a specific address (192.168.200.10) in this range, the method assigns the more specific address to the second traffic group that identifies the third data message flow set.

In some embodiments, the method deploys the second and third edge forwarding elements by deploying the second and third edge forwarding elements as different forwarding appliances, while in other embodiments it deploys these forwarding elements by deploying different machines that execute on different host computers in the SDDC. Using different host computers to implement different edge forwarding elements for different sets of data message flows allows dedicated resources (e.g., physical network interface cards (PNICs)) of the different host computers to be used for the different sets of data message flows.

The preceding Summary is intended to serve as a brief introduction to some embodiments of the invention. It is not meant to be an introduction or overview of all inventive subject matter disclosed in this document. The Detailed Description that follows and the Drawings that are referred to in the Detailed Description will further describe the embodiments described in the Summary as well as other embodiments. Accordingly, to understand all the embodiments described by this document, a full review of the Summary, the Detailed Description, the Drawings and the Claims is needed. Moreover, the claimed subject matters are not to be limited by the illustrative details in the Summary, the Detailed Description and the Drawings.

BRIEF DESCRIPTION OF FIGURES

The novel features of the invention are set forth in the appended claims. However, for purposes of explanation, several embodiments of the invention are set forth in the following figures.

FIGS. 1-3 illustrate one example of deploying multiple edge gateways in an SDDC in order to allocate additional bandwidth to multiple different sets of ingress and egress flows to and from machines that are deployed in the SDDC for an entity.

FIG. 4 conceptually illustrates a process performed by the manager and controller servers in some embodiments to define and deploy a traffic group to allocate additional bandwidth to a set of machines.

FIG. 5 illustrates an example of a management user interface of some embodiments for defining and creating traffic groups.

FIG. 6 illustrates a display window that is displayed following a selection of a traffic group control.

FIG. 7 illustrates the addition of a newly created traffic group to the traffic groups listed in a traffic group pane.

FIG. 8 shows an IP prefix list pane that includes an add IP prefix list control.

FIG. 9 shows the selection of the prefix list control.

FIG. 10 illustrates a display window that is presented after selection of the prefix list control.

FIG. 11 illustrates a set prefix window, while FIG. 12 illustrates a prefix pane.

FIG. 13 illustrates the set prefix window that displays the specified prefix along with the user's selection of the apply control to direct the management servers to associate the specified prefix list with the prefix name.

FIG. 14 illustrates the prefix pane after the selection of the apply control.

FIGS. 15-18 illustrate the association of a received list of network addresses with a traffic group.

FIG. 19 illustrates a computer system with which some embodiments of the invention can be implemented.

DETAILED DESCRIPTION

In the following detailed description of the invention, numerous details, examples, and embodiments of the invention are set forth and described. However, it will be clear and apparent to one skilled in the art that the invention is not limited to the embodiments set forth and that the invention may be practiced without some of the specific details and examples discussed.

Some embodiments of the invention provide a method for deploying edge forwarding elements in a public or private software defined datacenter (SDDC). For an entity (e.g., tenant, business, department, etc.), the method deploys a default first edge forwarding element to process data message flows between machines of the entity in a first network of the SDDC and machines external to the first network of the SDDC (e.g., machines outside of the SDDC). The method subsequently receives a request to allocate more bandwidth to a first set of the data message flows entering or exiting the first network of the SDDC.

In response, the method deploys a second edge forwarding element to process the first set of data message flows of the entity in order to allocate more bandwidth to the first set of the data message flows, while continuing to process a second set of data message flows of the entity through the default first edge node. The method of some embodiments provides a novel way of making bandwidth available as any other user-selectable resource (like compute machines, service machines, network elements, etc.) in the SDDC.

The method in some embodiments receives the request for more bandwidth by first receiving a request to create a traffic group and then receiving a list of network addresses that are associated with the traffic group. The list of network addresses identifies the subset of the data message flows to be processed by the second edge node. The network addresses in some embodiments are network addresses associated with interfaces for connecting the machines in the first network to forwarding elements of the first network. In some embodiments, the method receives the list of network addresses associated with the traffic group by receiving a prefix of network addresses and then receiving a request to associate the prefix of network addresses with the traffic group. Based on this request, the method then creates an association between the traffic group and the received prefix of network addresses.

In some embodiments, the method deploys the second edge forwarding element by configuring the second edge forwarding element to forward data messages of the first set to forwarding elements in the external network, and configuring a set of forwarding elements in the first network to forward the first set of data message flows from a set of machines of the first network to the second edge forwarding element. The edge forwarding elements in some embodiments are edge routers. The method in some of these embodiments configures the second edge forwarding element by configuring the second edge forwarding element to advertise to forwarding elements in the external network routes to the set of machines.

After receiving the request to allocate more bandwidth to the first set of data message flows, the method of some embodiments receives a request to allocate more bandwidth to a third set of the data message flows of the entity that enter or exit the first network of the SDDC. The method deploys for the entity a third edge forwarding element to process the third set of data message flows in order to allocate more bandwidth to the third set of the data message flows, while continuing to process the second set of data message flows through the default first edge node and to process the first set of data message flows through the second edge node.

Like the request for allocating more bandwidth for the first set of data message flows, the method in some embodiments receives the request for more bandwidth for the third set of data message flows by first receiving a request to create another traffic group, receiving another prefix of network addresses that identify the third set of data message flows, and then receiving a request to associate the newly received traffic group with the newly received address prefix. In some embodiments, the address prefixes for the first and third data message flows can overlap. In such cases, the method resolves the overlap by assigning the overlapping addresses to the traffic group that more specifically identifies the addresses.

For instance, if the first list of addresses for the first data message flow set is specified in terms of a range of IP addresses (192.168.200.0/24) while the second list of addresses for the third data message flow set specifies a specific address (192.168.200.10) in this range, the method assigns the more specific address to the second traffic group that identifies the third data message flow set. Alternatively, the first list of addresses can be specified in terms of a first range of IP addresses (192.168.200.0/24) and the second list of addresses can be specified as a smaller second range of IP addresses (192.168.200.0/32) within the first range. In such a case, the method assigns the more specific addresses (i.e., the smaller range 192.168.200.0/32) to the second traffic group that identifies the third data message flow set and the remaining IP addresses in the larger range (the remaining addresses in 192.168.200.0/24) to the first traffic group.
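The overlap resolution described above is a longest-prefix match: among all traffic-group prefixes that contain an address, the most specific one wins, and addresses covered by no traffic group stay with the default gateway. The following Python is an added illustration of that rule, not code from the patent or its assignee; the traffic-group names, the gateway labels and the `gateway_for_flow` helper are assumptions, while the prefixes 192.168.200.0/24, 192.168.200.10 and 192.168.200.0/32 are the page's own example. The helper also shows why the rule keeps stateful flows symmetric: ingress is keyed on the destination address and egress on the source address, but both consult the same prefix tables, so both directions of a flow land on the same gateway.

```python
"""Resolve which gateway processes a flow when traffic-group prefixes overlap.

Added example (not the patent's own code). Traffic groups are modelled as
name -> list of CIDR prefixes; an address belongs to the group whose prefix
most specifically covers it. Group and gateway names are assumptions.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: tg1 owns the whole /24, tg2 claims one host and a /32
# inside that range (the overlap case described on the page).
TRAFFIC_GROUPS: Dict[str, List[str]] = {
    "tg1": ["192.168.200.0/24"],
    "tg2": ["192.168.200.10/32", "192.168.200.0/32"],
}

# Assumed labels: each traffic group gets a dedicated gateway, everything else
# goes through the default gateway.
GATEWAY_OF = {"default": "gw-default", "tg1": "gw-tg1", "tg2": "gw-tg2"}


def resolve_traffic_group(address: str,
                          traffic_groups: Dict[str, List[str]] = TRAFFIC_GROUPS) -> str:
    """Return the traffic group owning `address`, or "default" if none does.

    Longest prefix match: the containing prefix with the largest prefix
    length wins, so a /32 inside a /24 takes precedence regardless of the
    order in which the traffic groups were created.
    """
    ip = ipaddress.ip_address(address)
    best_len = -1
    best_group = "default"
    for group, prefixes in traffic_groups.items():
        for cidr in prefixes:
            net = ipaddress.ip_network(cidr, strict=True)
            if ip.version == net.version and ip in net and net.prefixlen > best_len:
                best_len = net.prefixlen
                best_group = group
    return best_group


def gateway_for_flow(src: str, dst: str, ingress: bool) -> str:
    """Pick the gateway for one direction of a flow.

    Ingress (cloud gateway -> VPC) is routed on the destination address
    (destination-side routing); egress is routed on the source address
    (source-side routing). Both directions use the same lookup, so the two
    halves of a stateful flow reach the same gateway.
    """
    key = dst if ingress else src
    return GATEWAY_OF[resolve_traffic_group(key)]
```

With the sample above, 192.168.200.10 and 192.168.200.0 resolve to tg2, any other address in 192.168.200.0/24 resolves to tg1, and an address outside the /24 falls back to the default gateway.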

In some embodiments, the method deploys the second and third edge forwarding elements by deploying the second and third edge forwarding elements as different forwarding appliances, while in other embodiments it deploys these forwarding elements by deploying different machines that execute on different host computers in the SDDC. Using different host computers for different sets of data message flows allows different resources (e.g., different physical network interface cards (PNICs)) of the different host computers to be used for the different sets of data message flows.

As used in this document, data messages refer to a collection of bits in a particular format sent across a network. One of ordinary skill in the art will recognize that the term data message is used in this document to refer to various formatted collections of bits that are sent across a network. The formatting of these bits can be specified by standardized protocols or non-standardized protocols. Examples of data messages following standardized protocols include Ethernet frames, IP packets, TCP segments, UDP datagrams, etc. Also, as used in this document, references to L2, L3, L4, and L7 layers (or layer 2, layer 3, layer 4, and layer 7) are references respectively to the second data link layer, the third network layer, the fourth transport layer, and the seventh application layer of the OSI (Open System Interconnection) layer model.

The edge forwarding elements in some embodiments are edge gateways that connect the private first network of the entity to external networks (e.g., to the network of the SDDC or to external networks outside of the SDDC). FIGS. 1-3 illustrate one example of deploying multiple edge gateways in an SDDC in order to allocate additional bandwidth to multiple different sets of ingress and egress flows to and from machines that are deployed in the SDDC for an entity. In this example, the SDDC is a public cloud availability zone 102 in which a virtual private cloud (VPC) 100 has been defined for an entity, which in this example is a tenant of the private cloud. An availability zone in some embodiments includes one datacenter or more than one datacenter that are near each other. Although FIGS. 1-3 illustrate the use of some embodiments in a public cloud context, one of ordinary skill will realize that some embodiments of the invention can similarly be implemented in private datacenters.

For the entity, the VPC 100 includes a private network 105 formed by several forwarding elements (e.g., switches and routers), which are not shown in these figures to avoid obscuring these figures with unnecessary detail. The forwarding elements include software forwarding elements (e.g., software switches and/or routers) and middlebox elements (e.g., firewall, load balancers, etc.) executing on multi-tenant host computers 115 along with machines 110 that have been deployed for the entity. In some embodiments, the forwarding elements also include hardware forwarding elements and/or middlebox elements (e.g., hardware switching and/or router appliances, and/or middlebox appliances).

In some embodiments, the private network 105 is established by sharding the internal network address space of the private cloud, and providing a set of internal network addresses to the private network 105 that does not overlap with the internal network addresses provided to any other tenant of the VPC. In other embodiments, the private network 105 is a logical overlay network that is formed by establishing tunnels between the forwarding elements of the private network and having the forwarding elements exchange data messages through these tunnels, e.g., by encapsulating the data messages with tunnel headers that allow the data messages to be exchanged between the forwarding elements, while preserving the original data message headers that contain network addresses defined in the logical address space. In some embodiments, the logical address space of one tenant might overlap with the logical address space of another tenant but this does not matter because of the encapsulating tunnel headers.

FIG. 1 illustrates a default gateway 120 that is initially deployed by a set of controllers 130 to connect the VPC network 105 with a first external network. The first external network in this example is a network inside of the public cloud datacenter 102. In this example, any VPC gateway (including the default gateway 120) connects to (i.e., forwards packets to) one or more gateways 135 of the public cloud datacenter 102, which communicates with an external network 145 outside of the public cloud datacenter 102. In other embodiments, a VPC gateway (including the default gateway 120) connects directly to the external network 145 without having to go through any gateway 135 of the public cloud datacenter 102.

In some embodiments, the controller set 130 configures the default gateway 120 to forward ingress data messages to the VPC network from the cloud gateway 135, and egress data messages from the VPC network to the cloud gateway 135. The controller set in some embodiments also configures the forwarding elements in the VPC network 105 to forward the egress data messages to the default gateway 120, and the ingress data messages to the machines 110 of the VPC network.

FIG. 2 illustrates the VPC 100 after a gateway 220 has been created for a first traffic group (TG). This traffic group includes a set of machines 200, including machines 110 d and 110 e. The machine set 200 in some embodiments includes a group of machines for which an administrator of the entity has requested more bandwidth. In some embodiments, the administrator requests this extra bandwidth by first creating the traffic group in a management portal provided by a set of manager servers 125, and then providing a list of network addresses that are associated with the traffic group.

In some embodiments, the list of network addresses are network addresses associated with interfaces for connecting the machines in the machine set 200 to forwarding elements in the VPC network 105. In some embodiments, the administrator provides the list of network addresses associated with the traffic group by first providing a prefix of network addresses and then requesting that this prefix of network addresses be associated with the traffic group. Based on this request, the manager servers 125 direct the controller servers 130 to create an association between the traffic group and the received prefix of network addresses.

The administrator-provided list of network addresses for the first TG identifies the subset of the data message flows to be processed by the first traffic group's gateway 220. Specifically, for the first traffic group, the controller set 130 deploys the first TG gateway 220. In some embodiments, it is important for the same TG gateway to process ingress and egress data message flows for the traffic group machines, as the gateway needs to maintain state and/or perform stateful middlebox services (such as firewall, load balancing, etc.) for the traffic group. In some embodiments, each gateway (e.g., the default gateway, and each TG gateway) maintains state and/or performs stateful middlebox services on ingress and/or egress traffic entering and/or exiting the VPC network.

In some of these embodiments, the controller set employs destination-side routing to ensure that the cloud gateway 135 forwards all of the ingress data messages to the first traffic group (i.e., all the data messages that are destined to the list of network addresses provided for the first traffic group) to the TG gateway 220, and source-side routing to ensure that the forwarding elements of the VPC network 105 forward all the egress data messages from the first traffic group (i.e., all the egress data messages from the list of network addresses provided by the first traffic group) to the TG gateway 220.

More specifically, the controller set 130 configures the cloud gateway 135 to forward to the first TG gateway 220 ingress data messages that are destined to the network addresses provided for the first traffic group. The controller set 130 also configures the first TG gateway 220 to forward these ingress data messages to the VPC network 105 from the cloud gateway 135, and egress data messages from the first TG machines 200 to the cloud gateway 135. In some embodiments, the controller servers also configure the first TG gateway 220 to advertise routes to the list of TG-associated network addresses to the cloud gateway 135. The controller set 130 in some embodiments also configures the forwarding elements in the VPC network 105 to forward the egress data messages with source addresses in the provided list of addresses of the first traffic group (i.e., all the egress data messages from the set of machines 200 of the first traffic group) to the first TG gateway 220. It also configures these forwarding elements to forward the ingress data messages that are destined to the TG-associated network addresses to the machine set 200.

The forwarding elements in the VPC network 105 in some embodiments include intervening routers. The controller set 130 configures these intervening routers in the VPC network 105 in some embodiments by providing next-hop forwarding rules to the set of intervening routers. Alternatively, or conjunctively, the configured set of forwarding elements in some embodiments includes a set of intervening switches that implement a logical switch. In these embodiments, the method configures the set of intervening switches by providing forwarding rules to the set of intervening switches to direct the switches to forward the first set of data message flows to the first TG gateway 220 through tunnels that connect the set of intervening switches to the first TG gateway 220.

FIG. 3 illustrates the VPC 100 after a gateway 320 has been created for a second traffic group (TG). This traffic group includes a set of machines 300, including machines 110 b and 110 c. The machine set 300 in some embodiments includes a group of machines for which the entity administrator has requested more bandwidth. In some embodiments, the administrator requests this extra bandwidth by first creating the second traffic group in the management portal, and then providing a list of network addresses that are associated with the second traffic group. The provided list of addresses in some embodiments are network addresses associated with interfaces for connecting the machines in the machine set 300 to forwarding elements in the VPC network 105. Like the addresses for the first traffic group, the administrator in some embodiments provides the network addresses for the second traffic group by first providing a prefix of network addresses and then requesting that this prefix of network addresses be associated with the second traffic group. Based on this request, the manager set 125 directs the controller set 130 to create an association between the second traffic group and the prefix of network addresses received for this group.

For the second traffic group, the controller set 130 deploys the second TG gateway 320. As it did for the first traffic group, the controller set employs destination-side routing to ensure that the cloud gateway 135 forwards all of the ingress data messages to the second traffic group (i.e., all the data messages that are destined to the list of network addresses provided for the second traffic group) to the second TG gateway 320, and source-side routing to ensure that the forwarding elements of the VPC network 105 forward all the egress data messages from the second traffic group (i.e., all the egress data messages from the list of network addresses provided by the second traffic group) to the second TG gateway 320.

The controller set 130 also configures the second TG gateway 320 to forward the ingress data messages to the VPC network 105 from the cloud gateway 135, and egress data messages from the second TG machines 300 to the cloud gateway 135. In some embodiments, the controller set also configures the second TG gateway 320 to advertise routes to the network addresses associated with the second traffic group to the cloud gateway 135. The controller set 130 in some embodiments also configures the forwarding elements in the VPC network 105 to forward ingress data messages that are destined to the second TG-associated network addresses to the machine set 300.

After the controller set 130 configures the first TG and second TG gateways 220 and 320, the first gateway 220 forwards all of the ingress and egress traffic for the first traffic group machines, the second gateway 320 forwards all of the ingress and egress traffic for the second traffic group machines, and the default gateway 120 forwards all of the ingress and egress traffic for entity machines that are not in the first and second traffic groups.

In some embodiments, each gateway 120, 220 or 320 is a logical gateway that is implemented by a high-availability (HA) pair of physical gateways, which are in an HA active-standby configuration, as further described below. Also, each gateway is deployed as a separate appliance in some embodiments. In other embodiments, each gateway is deployed as a machine that executes on a host computer (e.g., a multi-tenant host computer or a standalone host computer). In some of these embodiments, the different gateways are deployed on different host computers in order to maximize the throughput of each gateway. Using different host computers to implement different gateways for different traffic groups allows dedicated resources (e.g., physical network interface cards (PNICs)) of the different host computers to be used for the data message flows of the different traffic groups.

FIG. 4 conceptually illustrates a process 400 performed by the manager and controller servers 125 and 130 in some embodiments to define and deploy a traffic group to allocate additional bandwidth to a set of machines. This process will be explained by reference to FIGS. 5-18, which illustrate an administrator's interaction with a management user interface (UI) 500 to create and define the traffic group. The management servers 125 in some embodiments provide this UI and process the administrator requests that are made through this UI.

As shown, the process 400 starts when the management UI 500 (at 405) receives the administrator's request to create the traffic group and creates a traffic group (e.g., creates a traffic group object) in response to this request. FIG. 5 illustrates an example of the management UI 500. Specifically, it illustrates a traffic group pane 505 that is displayed when the administrator (i.e., the user) selects the traffic group control 502 in the side panel 507 that lists the network and security controls 508. The traffic pane 505 includes two tabs, the traffic groups pane 504 and the IP prefix list pane 506. In FIG. 5, the traffic groups pane 504 is being shown with one previously created traffic group estg1, and the user is selecting the add traffic group control 510 through a cursor click operation, as shown.

FIG. 6 illustrates a display window 600 that the management servers 125 display following the selection of the add traffic group control 510. It also illustrates the user providing a name (estg2) for this traffic group in the name field 605, and saving this newly created traffic group by selecting the save control 610 through a cursor click operation. FIG. 7 illustrates the addition of this newly created traffic group estg2 to the traffic groups that are listed on the traffic group pane 505.

After creating (at 405) the traffic group, the process 400 receives (at 410) from the user a list of network addresses that will subsequently be associated with the traffic group. In some embodiments, a user can provide the list of addresses before the creation of the traffic group with which they will later be associated. The process 400 stores the received list of network addresses as an IP prefix list.

FIGS. 8-14 illustrate an administrator's interaction with the management UI 500 to create and define an IP prefix list. FIG. 8 shows the IP prefix list pane 506 that includes an add IP prefix list control 800, while FIG. 9 shows the selection of this control 900 through a cursor click operation. FIG. 10 illustrates a display window 1000 that is presented after this selection. It also displays that in a prefix name field 1005, the user has specified a prefix name (espfxl1). It further displays the user's selection of a set control 1010, which results in the opening of a set prefix window 1100 illustrated in FIG. 11.

In the set prefix window 1100 the user selects an add prefix control 1105, which directs the UI 500 to display a prefix pane 1200 illustrated in FIG. 12. In this pane 1200, the user specifies one or more IP prefixes. In this example, one IP prefix (192.168.200.0/24) has been specified. After specifying the IP prefix, the user selects an add control 1205, which then causes the set prefix window 1100 to display the specified prefix. This display is shown in FIG. 13, along with the user's selection of the apply control 1300 to direct the management servers to associate the specified prefix list with the prefix name. FIG. 14 illustrates the prefix pane 506, which after the selection of the apply control 1300 in FIG. 13 now displays “1” for the prefixes that have been defined for the prefix name espfxl1. FIG. 14 also shows the user's selection of a save control 1400 that directs the management servers to save the specified prefix list espfxl1, which includes its name and its specified set of IP prefixes.

After receiving (at 410) from the user a list of network addresses, the process 400 receives a request from the user to associate the received list of network addresses with the traffic group specified at 405. FIGS. 15-18 illustrate an example of this association request for some embodiments. FIG. 15 illustrates the user's invocation of a set of controls 1500 for the specified traffic group. In some embodiments, the user invokes this control set 1500 through a cursor (e.g., a right-hand click) operation or a keyboard operation with respect to the traffic group name (estg2) that is displayed in the traffic group pane 505.

FIG. 15 also illustrates the user's selection of an edit control 1505 in the control set 1500. This selection results in the display of a mapping window 1600 of FIG. 16. As shown, the mapping window has an add-mapping control 1605 that allows the user to specify one or more IP prefix mappings to a traffic group (e.g., estg1). Each mapping has a name that can be entered through the name field 1610, a gateway name that can be entered through the gateway field 1620, and a mapped IP prefix that can be entered through the prefix drop-down list 1615. To map the traffic group to multiple IP prefixes, the add-mapping control 1605 in some embodiments has to be invoked multiple times, once for each mapping.

FIG. 16 shows the mapping of the traffic group estg1 to the prefix list esprfxl1. It also shows that the name for this mapping is esmap1 and the name of the gateway is compute gateway. This name is indicative of the machines that are associated with the specified IP prefix esprfxl1 in this example. FIG. 17 illustrates the selection of a save control 1700 of the mapping window 1600 after the various values have been specified in the mapping window for the traffic group estg1. FIG. 18 then illustrates the traffic group pane 505 after this save operation. As shown, the traffic group pane 505 displays the attributes of estg1, which now include the mapping esmap1 to the IP prefix esprfxl1.

Once the specified traffic group is associated with a specified list of network addresses, the management servers 125 direct (at 420) the controller servers to deploy a gateway for the traffic group and to configure the SDDC routers to forward data message traffic for the traffic group's associated IP prefix through this gateway. The controller servers 130 in some embodiments deploy (at 425) the TG gateway as an HA pair of physical gateways, with one physical gateway serving as the active gateway and the other physical gateway serving as a standby gateway. In some embodiments, each physical gateway is deployed as a machine (e.g., virtual machine) executing on a host computer in the SDDC, and the gateways in the active/standby pair are deployed on different host computers for HA purposes.

After deploying the TG gateway, the controller servers 130 configure (at 430) the cloud gateways (e.g., gateway 135) to direct all ingress data messages to the entity's VPC that are destined to the received traffic group's list of IP addresses (e.g., to the TG's IP prefix) to the TG gateway that was deployed at 425. As mentioned above, the controller servers configure the cloud gateway by providing next-hop forwarding rules that identify the TG gateway as the next hop of ingress data messages that have destination IP addresses in the IP prefix.

Next, at 435, the controller servers 130 configure the routers that implement the VPC to direct all egress data messages exiting the entity's VPC that are from sources with the received traffic group's list of IP addresses (e.g., from the TG's IP prefix) to the TG gateway that was deployed at 425. As mentioned above, the controller servers configure the VPC implementing routers by providing next-hop forwarding rules that identify the TG gateway as the next hop of ingress data messages that have source IP addresses in the IP prefix. After 435, the process ends.
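The whole of process 400 (steps 405 through 435), together with the active/standby placement on different host computers described for the TG gateway, as an added runnable model. This is example code written for this page, not the patent's or any vendor's implementation: the class and method names (SDDCManager, create_traffic_group, create_prefix_list, map_prefix_list, deploy, next_hop, fail_over) are assumptions, the traffic group estg2, prefix list espfxl1 and prefix 192.168.200.0/24 are the values shown in FIGS. 6 and 12, and the host names, default edge name and flow addresses are constructed. It goes slightly beyond the text in one respect: it refuses to map a prefix that overlaps one already mapped to another traffic group, because a prefix steered through two different gateways could split a stateful flow across edges, which is the symmetric-processing requirement the Background raises.

```python
"""Model of the traffic-group workflow: create a traffic group (405), define an
IP prefix list (410), map the two (415), deploy an HA gateway pair (420-425)
and derive next-hop rules for the cloud gateway (430) and VPC routers (435).
Example code for this page; all names are hypothetical."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Gateway:
    """One physical gateway of an HA pair, i.e. a VM on a host computer."""
    name: str
    host: str
    active: bool


@dataclass
class TrafficGroup:
    name: str
    prefix_list: Optional[str] = None                  # mapped IP prefix list name
    gateways: List[Gateway] = field(default_factory=list)

    def active_gateway(self) -> Optional[Gateway]:
        return next((gw for gw in self.gateways if gw.active), None)


class SDDCManager:
    """Hypothetical manager/controller model (not the patent's API)."""

    def __init__(self, default_gateway: str, hosts: List[str]):
        self.default_gateway = default_gateway   # default edge used by all other flows
        self.hosts = list(hosts)
        self.used_hosts = set()                  # hosts already carrying a TG gateway
        self.traffic_groups = {}
        self.prefix_lists = {}                   # name -> [ip_network, ...]
        # (network, traffic group) rules: cloud gateway matches the destination
        # (ingress), VPC routers match the source (egress)
        self.ingress_rules: List[Tuple] = []
        self.egress_rules: List[Tuple] = []

    def create_traffic_group(self, name: str) -> TrafficGroup:        # step 405
        if name in self.traffic_groups:
            raise ValueError(f"traffic group {name} already exists")
        self.traffic_groups[name] = TrafficGroup(name)
        return self.traffic_groups[name]

    def create_prefix_list(self, name: str, cidrs: List[str]):        # step 410
        # strict=True rejects a prefix with host bits set (e.g. 192.168.200.5/24)
        self.prefix_lists[name] = [ipaddress.ip_network(c, strict=True) for c in cidrs]

    def map_prefix_list(self, tg_name: str, pl_name: str):            # step 415
        nets = self.prefix_lists[pl_name]
        # A prefix steered to two dedicated gateways could split a stateful flow
        # across edges, so refuse any overlap with another group's mapping.
        for other in self.traffic_groups.values():
            if other.name == tg_name or other.prefix_list is None:
                continue
            for have in self.prefix_lists[other.prefix_list]:
                for new in nets:
                    if have.overlaps(new):
                        raise ValueError(f"{new} overlaps {have} mapped to {other.name}")
        self.traffic_groups[tg_name].prefix_list = pl_name

    def deploy(self, tg_name: str) -> List[Gateway]:                  # steps 420-435
        tg = self.traffic_groups[tg_name]
        if tg.prefix_list is None:
            raise ValueError("associate an IP prefix list before deploying")
        free = [h for h in self.hosts if h not in self.used_hosts]
        if len(free) < 2:
            raise RuntimeError("need two free hosts for an active/standby pair")
        active_host, standby_host = free[:2]   # distinct hosts: HA and dedicated PNICs
        self.used_hosts.update((active_host, standby_host))
        tg.gateways = [Gateway(f"{tg_name}-gw-a", active_host, True),
                       Gateway(f"{tg_name}-gw-b", standby_host, False)]
        for net in self.prefix_lists[tg.prefix_list]:
            self.ingress_rules.append((net, tg_name))   # 430: dst in prefix -> TG gateway
            self.egress_rules.append((net, tg_name))    # 435: src in prefix -> TG gateway
        return tg.gateways

    def next_hop(self, direction: str, src: str, dst: str) -> str:
        """Name of the gateway that processes a flow; falls back to the default edge."""
        if direction not in ("ingress", "egress"):
            raise ValueError(direction)
        addr = ipaddress.ip_address(dst if direction == "ingress" else src)
        rules = self.ingress_rules if direction == "ingress" else self.egress_rules
        for net, tg_name in rules:
            if addr in net:
                gw = self.traffic_groups[tg_name].active_gateway()
                return gw.name if gw else self.default_gateway
        return self.default_gateway

    def fail_over(self, tg_name: str):
        """Swap the active and standby roles of a traffic group's HA pair."""
        for gw in self.traffic_groups[tg_name].gateways:
            gw.active = not gw.active


def demo() -> SDDCManager:
    """Replays FIGS. 6-18 with constructed host names and default edge name."""
    mgr = SDDCManager("default-edge", ["host-1", "host-2", "host-3"])
    mgr.create_traffic_group("estg2")                        # FIG. 6
    mgr.create_prefix_list("espfxl1", ["192.168.200.0/24"])  # FIGS. 10-14
    mgr.map_prefix_list("estg2", "espfxl1")                  # FIGS. 15-17
    mgr.deploy("estg2")
    return mgr


if __name__ == "__main__":
    m = demo()
    print(m.next_hop("ingress", "203.0.113.7", "192.168.200.10"))   # estg2-gw-a
    print(m.next_hop("egress", "192.168.1.5", "203.0.113.7"))       # default-edge
```

Both rule tables are keyed on the same prefix so that a flow's inbound and outbound halves land on the same TG gateway; `next_hop` resolves the rule to whichever member of the HA pair is currently active, which is what the cloud gateway and VPC routers need to see after a failover.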

Many of the above-described features and applications are implemented as software processes that are specified as a set of instructions recorded on a computer readable storage medium (also referred to as computer readable medium). When these instructions are executed by one or more processing unit(s) (e.g., one or more processors, cores of processors, or other processing units), they cause the processing unit(s) to perform the actions indicated in the instructions. Examples of computer readable media include, but are not limited to, CD-ROMs, flash drives, RAM chips, hard drives, EPROMs, etc. The computer readable media does not include carrier waves and electronic signals passing wirelessly or over wired connections.

In this specification, the term “software” is meant to include firmware residing in read-only memory or applications stored in magnetic storage, which can be read into memory for processing by a processor. Also, in some embodiments, multiple software inventions can be implemented as sub-parts of a larger program while remaining distinct software inventions. In some embodiments, multiple software inventions can also be implemented as separate programs. Finally, any combination of separate programs that together implement a software invention described here is within the scope of the invention. In some embodiments, the software programs, when installed to operate on one or more electronic systems, define one or more specific machine implementations that execute and perform the operations of the software programs.

Some embodiments include electronic components, such as microprocessors, that store computer program instructions in a machine-readable or computer-readable medium (alternatively referred to as computer-readable storage media, machine-readable media, or machine-readable storage media). Some examples of such computer-readable media include RAM, ROM, read-only compact discs (CD-ROM), recordable compact discs (CD-R), rewritable compact discs (CD-RW), read-only digital versatile discs (e.g., DVD-ROM, dual-layer DVD-ROM), a variety of recordable/rewritable DVDs (e.g., DVD-RAM, DVD-RW, DVD+RW, etc.), flash memory (e.g., SD cards, mini-SD cards, micro-SD cards, etc.), magnetic and/or solid state hard drives, read-only and recordable Blu-Ray® discs, ultra-density optical discs, any other optical or magnetic media, and floppy disks. The computer-readable media may store a computer program that is executable by at least one processing unit and includes sets of instructions for performing various operations. Examples of computer programs or computer code include machine code, such as is produced by a compiler, and files including higher-level code that are executed by a computer, an electronic component, or a microprocessor using an interpreter.

While the above discussion primarily refers to microprocessor or multi-core processors that execute software, some embodiments are performed by one or more integrated circuits, such as application specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs). In some embodiments, such integrated circuits execute instructions that are stored on the circuit itself.

As used in this specification, the terms “computer”, “server”, “processor”, and “memory” all refer to electronic or other technological devices. These terms exclude people or groups of people. For the purposes of the specification, the terms “display” or “displaying” mean displaying on an electronic device. As used in this specification, the terms “computer readable medium,” “computer readable media,” and “machine readable medium” are entirely restricted to tangible, physical objects that store information in a form that is readable by a computer. These terms exclude any wireless signals, wired download signals, and any other ephemeral or transitory signals.

FIG. 19 conceptually illustrates a computer system 1900 with which some embodiments of the invention are implemented. The computer system 1900 can be used to implement any of the above-described hosts, controllers, and managers. As such, it can be used to execute any of the above-described processes. This computer system includes various types of non-transitory machine readable media and interfaces for various other types of machine readable media. Computer system 1900 includes a bus 1905, processing unit(s) 1910, a system memory 1925, a read-only memory 1930, a permanent storage device 1935, input devices 1940, and output devices 1945.

The bus 1905 collectively represents all system, peripheral, and chipset buses that communicatively connect the numerous internal devices of the computer system 1900. For instance, the bus 1905 communicatively connects the processing unit(s) 1910 with the read-only memory 1930, the system memory 1925, and the permanent storage device 1935.

From these various memory units, the processing unit(s) 1910 retrieve instructions to execute and data to process in order to execute the processes of the invention. The processing unit(s) may be a single processor or a multi-core processor in different embodiments. The read-only-memory (ROM) 1930 stores static data and instructions that are needed by the processing unit(s) 1910 and other modules of the computer system. The permanent storage device 1935, on the other hand, is a read-and-write memory device. This device is a non-volatile memory unit that stores instructions and data even when the computer system 1900 is off. Some embodiments of the invention use a mass-storage device (such as a magnetic or optical disk and its corresponding disk drive) as the permanent storage device 1935.

Other embodiments use a removable storage device (such as a floppy disk, flash drive, etc.) as the permanent storage device. Like the permanent storage device 1935, the system memory 1925 is a read-and-write memory device. However, unlike storage device 1935, the system memory is a volatile read-and-write memory, such as random access memory. The system memory stores some of the instructions and data that the processor needs at runtime. In some embodiments, the invention's processes are stored in the system memory 1925, the permanent storage device 1935, and/or the read-only memory 1930. From these various memory units, the processing unit(s) 1910 retrieve instructions to execute and data to process in order to execute the processes of some embodiments.

The bus 1905 also connects to the input and output devices 1940 and 1945. The input devices enable the user to communicate information and select requests to the computer system. The input devices 1940 include alphanumeric keyboards and pointing devices (also called “cursor control devices”). The output devices 1945 display images generated by the computer system. The output devices include printers and display devices, such as cathode ray tubes (CRT) or liquid crystal displays (LCD). Some embodiments include devices such as touchscreens that function as both input and output devices.

Finally, as shown in FIG. 19, bus 1905 also couples computer system 1900 to a network 1965 through a network adapter (not shown). In this manner, the computer can be a part of a network of computers (such as a local area network (“LAN”), a wide area network (“WAN”), or an Intranet), or a network of networks (such as the Internet). Any or all components of computer system 1900 may be used in conjunction with the invention.

While the invention has been described with reference to numerous specific details, one of ordinary skill in the art will recognize that the invention can be embodied in other specific forms without departing from the spirit of the invention. For instance, several of the above-described embodiments allocate more bandwidth to a set of data message flows by having an administrator request the creation of a new traffic group, associating a set of network addresses with this traffic group, and then deploying a new gateway for the traffic group in order to process ingress/egress traffic associated with the set of network addresses. Other embodiments, however, have the administrator simply request a specific amount (e.g., a certain amount of bytes/second) or a general amount (e.g., high, medium, low, etc.) of ingress/egress bandwidth for a set of data message flows. Thus, one of ordinary skill in the art would understand that the invention is not to be limited by the foregoing illustrative details, but rather is to be defined by the appended claims.

1-20. (canceled)
21. A method of providing bandwidth as a resource in a software defined datacenter (SDDC), the method comprising: providing, through a user interface, a first set of controls to request additional bandwidth to process a first set of data message flows entering or exiting the SDDC; deploying a dedicated first edge forwarding element to process the first set of data message flows in order to allocate more bandwidth to the first set of the data message flows; and using a previously deployed second edge forwarding element to process a second set of data message flows entering or exiting the SDDC.
22. The method of claim 21, wherein the second edge forwarding element is a default edge forwarding element.
23. The method of claim 21 further comprising providing, through the user interface, a second set of controls to define a set of network addresses serving as source or destination network addresses for the first set of data message flows.
24. The method of claim 23, wherein the second set of controls comprises a subset of controls to receive a prefix of network addresses that are associated with the first set of data message flows.
25. The method of claim 23, wherein the set of network addresses is a set of network addresses associated with interfaces for connecting a set of machines in a first network of the SDDC to forwarding elements of the first network, the set of machines serving as sources or destinations of the first set of data message flows.
26. The method of claim 21, wherein deploying the dedicated edge forwarding element comprises: configuring the dedicated edge forwarding element to forward data messages of the first set to forwarding elements in a network external to a first network of the SDDC associated with the set of network addresses; configuring a set of forwarding elements in the first network to forward data message flows in the first set of data message flows from a set of machines of the first network to the dedicated edge forwarding element.
27. The method of claim 26, wherein the edge forwarding elements are edge routers, and configuring the dedicated edge forwarding element comprises configuring the dedicated edge forwarding element to advertise to forwarding elements in the external network routes associated with the set of network addresses.
28. The method of claim 26, wherein the set of forwarding elements comprises a set of intervening routers, and configuring the set of forwarding elements comprises providing next-hop forwarding rules to the set of intervening routers.
29. The method of claim 26, wherein the set of forwarding elements comprises a set of intervening switches that implement a logical switch, and configuring the set of forwarding elements comprises providing forwarding rules to the set of intervening switches to direct the switches to forward data messages of the first set to the second edge forwarding element through a set of tunnels that connect the set of intervening switches to the second edge forwarding element.
30. The method of claim 26 further comprising configuring a gateway of the SDDC to forward data message flows with destination IP addresses in the set of network addresses to the dedicated edge forwarding element.
31. A non-transitory machine readable medium storing a program for providing dedicated bandwidth as a resource in a software defined datacenter (SDDC), the program for execution by at least one processing unit of a computer, the program comprising sets of instructions for: providing, through a user interface, a first set of controls to request additional bandwidth to process a first set of data message flows entering or exiting the SDDC; deploying a dedicated first edge forwarding element to process the first set of data message flows in order to allocate more bandwidth to the first set of the data message flows; and using a previously deployed second edge forwarding element to process a second set of data message flows entering or exiting the SDDC.
32. The non-transitory machine readable medium of claim 31, wherein the second edge forwarding element is a default edge forwarding element.
33. The non-transitory machine readable medium of claim 31, wherein the program further comprises a set of instructions for providing, through the user interface, a second set of controls to define a set of network addresses serving as source or destination network addresses for the first set of data message flows.
34. The non-transitory machine readable medium of claim 33, wherein the second set of controls comprises a subset of controls to receive a prefix of network addresses that are associated with the first set of data message flows.
35. The non-transitory machine readable medium of claim 33, wherein the set of network addresses is a set of network addresses associated with interfaces for connecting a set of machines in a first network of the SDDC to forwarding elements of the first network, the set of machines serving as sources or destinations of the first set of data message flows.
36. The non-transitory machine readable medium of claim 31, wherein the set of instructions for deploying the dedicated edge forwarding element comprises sets of instructions for: configuring the dedicated edge forwarding element to forward data messages of the first set to forwarding elements in a network external to a first network of the SDDC associated with the set of network addresses; configuring a set of forwarding elements in the first network to forward data message flows in the first set of data message flows from a set of machines of the first network to the dedicated edge forwarding element.
37. The non-transitory machine readable medium of claim 36, wherein the edge forwarding elements are edge routers, and the set of instructions for configuring the dedicated edge forwarding element comprises a set of instructions for configuring the dedicated edge forwarding element to advertise to forwarding elements in the external network routes associated with the set of network addresses.
38. The non-transitory machine readable medium of claim 36, wherein the set of forwarding elements comprises a set of intervening routers, and the set of instructions for configuring the set of forwarding elements comprises a set of instructions for providing next-hop forwarding rules to the set of intervening routers.
39. The non-transitory machine readable medium of claim 36, wherein the set of forwarding elements comprises a set of intervening switches that implement a logical switch, and the set of instructions for configuring the set of forwarding elements comprises a set of instructions for providing forwarding rules to the set of intervening switches to direct the switches to forward data messages of the first set to the second edge forwarding element through a set of tunnels that connect the set of intervening switches to the second edge forwarding element.
40. The non-transitory machine readable medium of claim 36, wherein the program further comprises a set of instructions for configuring a gateway of the SDDC to forward data message flows with destination IP addresses in the set of network addresses to the dedicated edge forwarding element.